EVENT MANAGEMENT SYSTEMS

US 20160164893A1
Filed: 07/17/2013
Published: 06/09/2016
Est. Priority Date: 07/17/2013
Status: Abandoned Application

First Claim

Patent Images

1. An event management system comprising:

a data storage device to store events received from a plurality of event data sources; and

at least one processor toidentify data for at least one received event to include in a context query;

generate the context query including the identified data;

transmit the context query to a context determination service;

receive query results of the context query from the context determination service;

determine whether a context is provided in the query results, wherein the context describes additional meaning for the at least one event; and

append the context to the at least one event in response to determining the query results include the context.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to an example, an event management system determines context for received events. The event management system generates a context query for an event including event data and transmits the context query to a context determination service. Context may be determined from query results provided by the context determination service.

110 Citations

15 Claims

1. An event management system comprising:
- a data storage device to store events received from a plurality of event data sources; and
  
  at least one processor toidentify data for at least one received event to include in a context query;
  
  generate the context query including the identified data;
  
  transmit the context query to a context determination service;
  
  receive query results of the context query from the context determination service;
  
  determine whether a context is provided in the query results, wherein the context describes additional meaning for the at least one event; and
  
  append the context to the at least one event in response to determining the query results include the context.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The event management system of claim 1, wherein the at least one processor is to:
    - determine whether a correlation rule from a plurality of stored correlation rules is associated with the at least one event and the context for the at least one event;
      
      in response to determining the correlation rule is associated with the at least one event, determine whether the correlation rule triggers an action based on the context and the at least one event; and
      
      execute the action in response to determining the context and the at least one event trigger the action according to a condition in the rule.
  - 3. The event management system of claim 1, wherein to identify the data for the at least one event, the at least one processor is to:
    - determine whether additional information for the context query is associated with the at least one event;
      
      request the additional information from an event data source of the plurality of event data sources in response to determining the additional information is associated with the at least one event; and
      
      include the additional information in the context query in response to receiving the additional information from the event data source.
  - 4. The event management system of claim 1, wherein to identify data for the at least one received event to include in the context query, the at least one processor is to:
    - determine whether the at least one event includes information to include in the context query;
      
      in response to determining the at least one event does not include the information for the context query, determine a correlation rule from the plurality of stored correlation rules for the at least one event;
      
      determine whether the correlation rule triggers an action based on event information in the at least one event; and
      
      execute the action in response to determining the at least one event triggers the action according to a condition in the correlation rule and the at least one event information.
  - 5. The event management system of claim 1, wherein the at least one event comprises a set of received events and the at least one processor is to:
    - apply a correlation rule of the plurality of rules to the received events to identify the set of received events.
  - 6. The event management system of claim 5, wherein to identify the data to include the context query, the at least one processor is to identify the data from information associated with all the events in the set of received events.

7. A security information and event management system comprising:
- a network interface to receive events from network devices and computers via a network, wherein each event includes event information describing an action associated with one of the network devices or computers;
  
  a data storage device to store the received events; and
  
  at least one processor tofor each event, determine whether to generate a context query for the event based on event data for the event, and in response to determining to generate the context query, generate and transmit the context query for the event to a context determination service, wherein the context query includes the event data or other data associated with the event;
  
  receive query results from the context determination service based on the context queries;
  
  determine contexts from the query results for the events for which the context queries were transmitted to the context determination service; and
  
  determine from the event data and the contexts whether the events are associated with a security threat.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 15)
- - 8. The security information and event management system of claim 7 comprising:
    - a rules database to store correlation rules; and
      
      the at least one processor is to identify a correlation rule from the rules database associated with at least one of the received events based on the event data for the at least one received event the context for the at least one received event, and determine whether the event is associated with the security threat from the identified correlation rule.
  - 9. The security information and event management system of claim 8, wherein the at least one processor is to aggregate received events having similar event data according to the identified correlation rule, and determine whether a condition in the correlation rule is satisfied based on the aggregated events to determine whether the security threat exists.
  - 10. The security information and event management system of claim 7, wherein the security threat comprises at least one of access or attempted access to information predetermined to be a security risk or distribution of the information predetermined to be the security risk.
  - 11. The security information and event management system of claim 7, wherein to determine the contexts, the at least one processor is to:
    - determine whether the contexts are provided in the query results; and
      
      in response to determining the contexts are provided in the query results, append each context to the corresponding event.
  - 12. The security information and event management system of claim 7, wherein to determine whether to generate the context query for the event, the at least one processor is to identify a set of the received events based on a correlation rule and generate the context query for all the events in the set based on the event data for all the events.
  - 13. The security information and event management system of claim 7, wherein each of the contexts for the events describes additional meaning for the corresponding event not provided in the event data.
  - 15. The non-transitory computer readable medium of claim 12, wherein the machine readable instructions are executable to:
    - determine a correlation rule from a plurality of stored correlation rules for the context and the event;
      
      determine whether the correlation rule triggers an action based on the context and the event; and
      
      execute the action in response to determining the context and the event trigger the action according to a condition in the rule.

14. A non-transitory computer readable medium including machine readable instructions executable by at least one processor to:
- receive an event at a management system;
  
  identify data for the event to include in a context query;
  
  generate and transmit a context query, including the identified data, to a context determination service;
  
  receive query results for the context query from the context determination service;
  
  determine context for the event from the query results; and
  
  append the context to event data for the event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Levi, Eliav

Application Number

US14/895,233
Publication Number

US 20160164893A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/215   Improving data quality; Dat...

G06F 16/24575   using context

G06F 16/284   Relational databases

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

EVENT MANAGEMENT SYSTEMS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

110 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

EVENT MANAGEMENT SYSTEMS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links